I was hoping the fine folks here might be able to answer a question about understanding how remote code exploits work. Assuming that the machine is running windows XP/Vista/7 on a x86 platform with all service packs, patches and updates with no TCP/IP services and no server applications running then how can it be possible to take advantage of such a box remotely ? Then is it possible that a zero day exploit would be needed in order to access this typical box ?

Please note that I have no interest nor intentions in hacking into anyone box but would like to understand the logic behind how remote code exploits work...

Even if you are not running any other services (such as a web server, ftp server) you still have the built in Microsoft Services and applications running. Take for example MS08-067, this issue allowed an attacker to take advantage of the way that the Server service handles RPC requests. The attacker was able to execute code on the remote PC by exploiting this flaw.

This issue was patched a long time ago so shouldn’t be an issues anymore. To take advantage of a PC like the one you are talking about most of the time it would take a Zero Day or for the machine to be missing a critical patch.

If you have a quick google you will find heaps of examples of how this is done.

Last edited by S3curityM0nkey on Mon Aug 27, 2012 11:15 pm, edited 1 time in total.

Doesn't even have to be server software. A vulnerable music player can load a a specially crafted MP3 file, which in turn executes code and opens a backdoor to the computer. Almost everyone installs third party software, so there's the chance that something installed is vulnerable to something.

From what I've been reading, many exploits are the result of getting the user to click your infected site and take advantage of a browser flaw, Java exploit, Flash Player, PDF reader....as shadowzero said, no run runs vanilla Windows with no third party apps installed. Just might take some Social Engineering.

all of patchs, updates, service packs can help u to improve security but it dosent mean ur completely secure. For example if u installed adobe reader u can create an infected pdf file using metasploit send it to the target and get some access but maybe u'll get error or failure it depends on many things security world is so complex

There are lots way client side attack are most common here an email please Click my link you can also use metasploit to try encode and make exe or pdf. Then you have the Social engineer toolkit that mainly focus on client side attacks.

This is one of the reasons why a risk analysis and defense in depth are so important. Focus your security efforts on the most important assets and understand that even then there will still be a way for a determined attacker to get what they want. Your best bet is to secure them so well that the time and money required for a succesfull attack is not worth what they are after.

However if you are a high profile target like a government agency or army, all bets are off....

shadowzero wrote:Doesn't even have to be server software. A vulnerable music player can load a a specially crafted MP3 file, which in turn executes code and opens a backdoor to the computer. Almost everyone installs third party software, so there's the chance that something installed is vulnerable to something.

This is true. It doesn't always have to occur remotely. However, it' my appear more attractive and alluring to do so.